The European Union's General Data Protection Regulation was
celebrated as a revolution in how internet privacy could be
legislated. It was a reaction to long-term concerns in the EU
about information collection by tech giants like , and .

Known as GDPR, the regulation gave sweeping new powers to
individuals in how they can control their data, including the
right to demand that companies tell them how their data is
used, and to ask corporations to destroy their data, a tenet
of the law known as "the right to be forgotten."

The law also imposed the world's stiffest potential privacy
fines: Up to 20 million euros or 4% of a company's global
annual revenue for the previous year for the most egregious
violations. For Facebook, such an upper-level fine could
therefore feasibly reach $1.6 billion.

But one year later, GDPR hasn't lived up to its potential.

Among some consumers, GDPR is perhaps best known as a
bothersome series of rapid-fire, pop-up privacy notices.
Those astronomical fines have failed to materialize. The law
has created new bureaucracies within corporations, and with
those, tension and confusion. And it's unclear if the EU data
authority that oversees the law is adequately staffed to
handle its demands.

'Our privacy policy has changed'

"I'm kind of a conscientious objector to the notice and
consent model," said Laura Jehl, partner in the privacy and
data protection practice at law firm BakerHostetler,
referring to the GDPR framework that led to the
now-ubiquitous "we've updated our privacy policy" notice.

"It's offloading too much responsibility to the individual,"
to understand the notices and take action on them.

The notices were meant as a jumping-off point where people
could begin the journey of understanding how each of their
applications and the websites they visit use their data. But
they have probably had the opposite effect, Jehl said. "If
you have a job, or kids, or hobbies, or a life, you can't do
that, keeping track of all that. It would be a full-time job
to protect your privacy in a notice and consent model."

Consumers are often confused as to how they can actually take
advantage of GDPR's privacy powers.

"I think it has given consumers a greater awareness of what
data is being collected about them, and a greater ability to
control that data," said Scott Pink, special counsel in the
data security and privacy practice at law firm O'Melveny
& Myers. "But now, I think there's still some lack of
clarity from consumers on exactly what they need to do."

"Consent fatigue" may be an unfortunate adverse side effect,
said Odia Kagan, chair of the GDPR compliance program at law
firm Fox Rothschild.

"I think that the importance of people understanding what is
going on with their data, and not having a surprised reaction
that somebody has their information. When you need
to click 329 toggles, that is also a problem, because you
won't want to do it. The actual process is something we still
need to work on so we don't get consent fatigue."

Unimpressive fines so far

Google was hit with a $57 million fine in January over how it
uses , but the
company is fighting it. Facebook was fined about $645,000
which involved the alleged misuse of customers'
personal information for election research conducted by
Donald Trump's presidential campaign.

"In the beginning, a number of [EU] regulators informally
said 'we know you guys aren't ready for GDPR, and to be
honest, we're not really ready either,'" said Jehl. That
informal grace period is, however, likely coming to an end,
she said.

"The enforcement is just getting started," said Kagan. "The
higher fines are very likely going to be in connection with
very large companies with very complex structures. We haven't
seen them because they aren't done yet."

The data protection authorities have other tools as well,
which might be even costlier than fines, Kagan said.

In some cases, EU regulators can tell companies, "You have 90
days to rectify the thing you are doing wrong with the data,
or after 90 days you cannot use the data." Sometimes, even
the big fines won't make or break them, but the data will if
it is a core component of their business.

A new bureaucracy, too

GDPR introduced something new to many corporations that do
business with European clients: a data protection officer.

To be compliant with GDPR rules, companies had to hire (or
outsource) someone to lead a data protection office. This is
a tricky proposition at many companies, especially the
biggest ones, where this new role -- and the bureaucracy that
goes with it -- often overlaps with existing executive
functions, such as cybersecurity, privacy, legal, audit and
technology risk, among others.

"They have a lot of special protections that regular
[executives] don't have," explained Jehl. The data protection
officer's duty is to protect customers' data, even if that
protection goes against other business objectives, meaning
there are often different rules on how the executive can be
disciplined or dismissed, she said.

The new role is a positive step in terms of "increasing the
importance of data and privacy management, and privacy
professionals," said Pink.

"But there is still somewhat of a tension between serving
those requirements and making sure the business can make a
profit, and also ensuring that the expense of complying is
adequately funded but not too expensive."

Overwhelming to regulators

GDPR instituted a new 72-hour breach reporting guideline -- a
far tighter reporting timeline than other regulations. It
apparently panicked so many companies that they flooded --
--
the U.K. data privacy regulator by September 2018.

The issue highlights another potential problem with GDPR:
Most regulatory agencies in the EU are not staffed to deal with
the legislation and its sweeping new requirements. The
of Ireland's Data
Protection Commission, which oversees implementing GDPR, was
about $18 million for 2019, and that's a 30% increase from
2018.

"I still feel like unless there is a very significant
increase in staffing, they are probably going to have to pick
and choose the enforcement actions that they bring," said
Kagan.

EU regulators have also found themselves dealing with a huge
influx of GDPR "rumors," or large-scale panics spreading
across social media, misinterpreting how the law applies to
everyday life events.

For instance, from the
Irish Data Protection Commission discussing events at schools
borders on the absurd:

"Take the scenario whereby a school wants to take and publish
photos at a sports day – schools could inform parents in
advance that photographs are going to be taken at this event
and could provide different-coloured stickers for the
children to wear to signify whether or not they can be
photographed," the Commission suggested. The post goes on to
discuss the possibility of schools banning photographs at a
high school musical, but suggests that might be unwieldy.

Kagan said, "a lot of things that are said about what GDPR is
doing are myths. There are tons of misconceptions."

As a result, regulators have had to spend a great deal of
time undoing myths, explaining the law's broad language and
providing guidance. She predicts they will eventually shift
this time to investigating and enforcing the law.

"In the end, GDPR is all about consent and it's an approach
to privacy that is very European," said Kagan. "That's not a
mistake. It's a values statement."
